Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

usb: class: cdc-wdm: fix reordering issue in read code path

Quoting the bug report:

Due to compiler optimization or CPU out-of-order execution, the
desc->length update can be reordered before the memmove. If this
happens, wdm_read() can see the new length and call copy_to_user() on
uninitialized memory. This also violates LKMM data race rules [1].

Fix it by using WRITE_ONCE and memory barriers.

Fixes: afba937e540c9 ("USB: CDC WDM driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Closes: https://lore.kernel.org/linux-usb/CALbr=LbrUZn_cfp7CfR-7Z5wDTHF96qeuM=3fO2m-q4cDrnC4A@mail.gmail.com/
Reported-by: Gui-Dong Han <hanguidong02@gmail.com>
Reviewed-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://patch.msgid.link/20260304130116.1721682-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Oliver Neukum and committed by Greg Kroah-Hartman
8df672bf 3cbc242b

+3 -1
drivers/usb/class/cdc-wdm.c
··· 225 225 /* we may already be in overflow */ 226 226 if (!test_bit(WDM_OVERFLOW, &desc->flags)) { 227 227 memmove(desc->ubuf + desc->length, desc->inbuf, length); 228 - desc->length += length; 228 + smp_wmb(); /* against wdm_read() */ 229 + WRITE_ONCE(desc->length, desc->length + length); 229 230 } 230 231 } 231 232 skip_error: ··· 534 533 return -ERESTARTSYS; 535 534 536 535 cntr = READ_ONCE(desc->length); 536 + smp_rmb(); /* against wdm_in_callback() */ 537 537 if (cntr == 0) { 538 538 desc->read = 0; 539 539 retry:
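Review bot: in the first hunk (new lines 228-229), the comment `/* against wdm_read() */` on smp_wmb() does not say what is being ordered. Spell out that the memmove() into desc->ubuf must be visible before the new desc->length is published, and that this barrier pairs with the smp_rmb() added after READ_ONCE(desc->length) in the second hunk. Separately, the memmove() destination and the right-hand side of WRITE_ONCE() still read desc->length with plain loads. That is only safe if every other writer of desc->length is excluded at this point, and the hunk does not show a lock being held, so the comment should name the lock that provides that exclusion.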
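Review bot: in the second hunk (new line 536), the smp_rmb() covers only this one READ_ONCE(desc->length); the hunk ends at the `retry:` label, so any re-read of desc->length after that label is not visible here and needs the same ordering (or a lock) before the buffer is copied out. Please confirm that path in the commit message or a comment. As a style point, READ_ONCE() followed by smp_rmb() could be written as smp_load_acquire(&desc->length), with smp_store_release() on the writer side, which keeps the pairing in the code itself rather than in two comments that have to stay in sync.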